CVE-2018-1000888 Information

Description

PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502 / CWE-915 vulnerability in the Archive_Tar class. Several file operations (such as file_exists, is_file and is_dir) receive $v_header['filename'] as their parameter. When extract is called without a specific prefix path, unserialization can be triggered by crafting a tar file that uses phar://[path_to_malicious_phar_file] as an entry path. Object injection can then be used to trigger the destructor (__destruct) of the loaded PHP classes, e.g. the Archive_Tar class itself. With an injected Archive_Tar object, arbitrary file deletion can occur because @unlink($this->_temp_tarname) is called. If another class with a useful gadget is loaded, remote code execution may be possible, which can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.
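As an added defensive check (written for this page, not code from Archive_Tar or the advisory), the scanner below walks a tar archive and flags entries whose names are a PHP stream wrapper or URL scheme such as phar://, an absolute path, or a traversal sequence, before the archive is handed to an extractor. The function names and the sample archive are constructed for this example.

```python
import io
import re
import tarfile

# Entry names that carry a URI scheme (phar://, php://, data:, ...) instead of a
# plain relative path. Archive_Tar <= 1.4.3 passed such names straight to
# file_exists()/is_dir(), which is what lets a phar:// name trigger unserialization.
# Any scheme is flagged, not only phar, since a legitimate entry never needs one.
WRAPPER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:", re.ASCII)


def suspicious_reason(name: str):
    """Return why a tar entry name should be rejected, or None if it looks safe."""
    if WRAPPER_RE.match(name):
        return "stream wrapper or URL scheme in entry name"
    if name.startswith("/"):
        return "absolute path"
    if ".." in name.split("/"):
        return "path traversal"
    return None


def scan_tar(data: bytes):
    """Scan an archive given as bytes; return [(name, reason)] for flagged entries."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            reason = suspicious_reason(member.name)
            if reason:
                findings.append((member.name, reason))
    return findings


def build_sample_tar():
    """Constructed sample: one benign entry and one entry naming a phar:// wrapper."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in [("docs/readme.txt", b"hello"),
                              ("phar://uploads/evil.phar/x.txt", b"")]:
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_tar(build_sample_tar()):
        print(f"REJECT {name!r}: {reason}")
```

Run it ahead of extraction (or as a pre-upload check) and reject the whole archive when any entry is flagged; the fixed Archive_Tar release should still be deployed, since this only guards the entry names it can see.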

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Reference

https://blog.ripstech.com/2018/new-php-exploitation-technique/
https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-….pdf
https://lists.debian.org/debian-lts-announce/2019/02/msg00020.html
https://pear.php.net/bugs/bug.php?id=23782
https://pear.php.net/package/Archive_Tar/download/
https://security.gentoo.org/glsa/202006-14
https://usn.ubuntu.com/3857-1/
https://www.debian.org/security/2019/dsa-4378
https://www.exploit-db.com/exploits/46108/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

8.8

Base Severity

HIGH
